No connectivity means no cloud AV: true or false?

Cloud-based anti-virus is growing in popularity. It has a number of advantages over traditional anti-virus, including a smaller footprint on the user’s hardware, but its greatest strength is the network effect behind its ‘reputation’ based detection: the more users it has, the more valuable that reputation data becomes. As soon as a new malware strain is discovered on any one user’s system, it is reported back to the vendor, rapidly analyzed and classified, and added to the shared detection database. Protection against the new strain then becomes available to all users throughout the world within hours, rather than waiting for a scheduled signature update.

But Matthias Luft of ERNW comes to a worrying conclusion on cloud anti-virus: “If someone pulls the network cable of the system, there is no more malware protection in place.” He was penetration testing a mobile device to see whether it could be used to gain malicious access to the corporate network, and was specifically trying to bypass Trend Micro OfficeScan. Trend Micro and Panda Security are two of the leading proponents of cloud-based anti-virus. If Luft is correct, the whole premise of their products is called into question.

Luis Corrons, technical director at PandaLabs, takes issue. Firstly, he says, “Panda Cloud Antivirus has a local cache, so even when you are not connected to the network, files are scanned locally.” But in any case, he adds, “if an attacker has physical access to the computer, switching off the antivirus protection – cloud or old-fashioned – will not be an issue.”

Rik Ferguson, a director of security research at Trend Micro, goes further. He states categorically that “any product which utilizes the Smart Protection Network (web, mail and file reputation in the cloud) is fully protected whether online or offline.” The reason is that the local agent bundles several on-device technologies: file pattern data, cached server responses, heuristics and behavioral detection. These exist to minimize the number of queries the agent has to send to the cloud even when it is online, and the same components keep working when it is not.

When a system is offline, he explains, “it still benefits from all the same intelligence that it had the moment before the cable was pulled; which in essence is the same as an AV solution that uses traditional pattern updates.” Furthermore, he adds, “any file flagged as suspicious will be queued for rescanning later when the connection is restored, just in case newer intelligence marks it as malicious.” In other words, file analysis is performed on the local machine first; a query is sent to the cloud, whether a private cloud or Trend Micro’s own, only when a file looks suspicious and no local detection exists for it. The practical caveat is the one Ferguson himself implies: an offline agent is only as current as its last pattern update and cache contents, so a new strain classified by the vendor while the cable is unplugged is caught on reconnect, not before.
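The decision flow the two vendors describe (local pattern data first, then cached cloud verdicts, then heuristics, and a cloud query only for suspicious files with no local detection, with offline suspects queued for rescan on reconnect) is easiest to see as code. The following is an added illustration written for this page, not code from Trend Micro, Panda Security or any real product; the sample files, the API-string heuristic, the cache TTL and the threshold are all constructed and hypothetical.

```python
"""Toy model of a cloud-assisted AV agent that keeps working offline.

Constructed example for illustration only. The sample "files", the
heuristic markers, thresholds and the CloudReputation stand-in are all
hypothetical and do not model any vendor's real implementation.
"""
import hashlib
import time
from typing import Dict, List, Optional, Tuple

MALICIOUS, CLEAN, SUSPICIOUS = "malicious", "clean", "suspicious"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for executables on disk (not real malware).
KNOWN_BAD = b"MZ" + b"\x90" * 16 + b"CreateRemoteThread;WriteProcessMemory"
BENIGN = b"MZ" + b"\x90" * 16 + b"GetVersionEx;MessageBoxW"
NOVEL = b"MZ" + b"\x90" * 16 + b"VirtualAllocEx;WriteProcessMemory"

# Hypothetical heuristic: count API names commonly abused for code injection.
RISKY_MARKERS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]


def heuristic_score(data: bytes) -> int:
    return sum(1 for marker in RISKY_MARKERS if marker in data)


class CloudReputation:
    """Stand-in for the vendor's reputation service (hypothetical)."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}   # sha256 -> verdict learned by the vendor
        self.online = True                   # flip to False to "pull the cable"

    def query(self, file_hash: str) -> str:
        if not self.online:
            raise ConnectionError("no network path to reputation service")
        # Hashes the service has never seen get no cloud detection.
        return self.verdicts.get(file_hash, CLEAN)


class LocalAgent:
    def __init__(self, cloud: CloudReputation, pattern_db: List[str],
                 cache_ttl: float = 3600.0, threshold: int = 2) -> None:
        self.cloud = cloud
        self.pattern_db = set(pattern_db)                 # hashes detected locally
        self.cache: Dict[str, Tuple[str, float]] = {}     # hash -> (verdict, expiry)
        self.rescan_queue: List[Tuple[str, bytes]] = []   # suspects seen while offline
        self.cache_ttl = cache_ttl
        self.threshold = threshold
        self.cloud_queries = 0

    def scan(self, name: str, data: bytes, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        h = sha256(data)
        # 1. Local pattern data works with or without a network.
        if h in self.pattern_db:
            return MALICIOUS
        # 2. A cached cloud verdict stays valid offline until it expires.
        cached = self.cache.get(h)
        if cached and cached[1] > now:
            return cached[0]
        # 3. Heuristics: only files that look suspicious cost a cloud query.
        if heuristic_score(data) < self.threshold:
            return CLEAN
        # 4. Suspicious with no local detection: ask the cloud if reachable.
        try:
            verdict = self.cloud.query(h)
        except ConnectionError:
            # Offline: keep the file flagged and rescan it once reconnected.
            self.rescan_queue.append((name, data))
            return SUSPICIOUS
        self.cloud_queries += 1
        self.cache[h] = (verdict, now + self.cache_ttl)
        return verdict

    def on_reconnect(self, now: Optional[float] = None) -> Dict[str, str]:
        """Re-evaluate queued suspects against current cloud intelligence."""
        queued, self.rescan_queue = self.rescan_queue, []
        return {name: self.scan(name, data, now) for name, data in queued}


def demo() -> Dict[str, object]:
    """Walk through the online -> offline -> reconnect sequence from the article."""
    cloud = CloudReputation()
    agent = LocalAgent(cloud, pattern_db=[sha256(KNOWN_BAD)])
    t0 = 1_000_000.0
    out: Dict[str, object] = {}
    out["online_novel"] = agent.scan("novel.exe", NOVEL, t0)          # cloud has nothing yet
    cloud.online = False                                              # cable pulled
    out["offline_known_bad"] = agent.scan("known_bad.exe", KNOWN_BAD, t0 + 1)
    out["offline_benign"] = agent.scan("benign.exe", BENIGN, t0 + 1)
    out["offline_novel_cached"] = agent.scan("novel.exe", NOVEL, t0 + 2)
    out["offline_novel_expired"] = agent.scan("novel.exe", NOVEL, t0 + 7200)
    cloud.verdicts[sha256(NOVEL)] = MALICIOUS                         # vendor classifies it meanwhile
    cloud.online = True                                               # cable plugged back in
    out["after_reconnect"] = agent.on_reconnect(t0 + 7300)
    out["cloud_queries"] = agent.cloud_queries
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sequence in `demo()` is the article's argument in miniature: with the network down, the known-bad file is still caught by local pattern data, the benign file never needs the cloud, and the novel file is served from cache until the cached verdict expires, after which it is flagged suspicious and queued. Only the rescan on reconnect picks up the vendor's newer classification, which is exactly the window Luft's objection is really about.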

“The conclusion,” says Rik Ferguson, “that ‘if someone pulls the network cable of the system, there is no more malware protection in place’ is entirely false and unsubstantiated.”
